Added gate and workflow_run trigger for CI

[robgruen]

• Added gate workflow which checks user's permissions and returns success/failure based on their write access to the repo
• Updated CI workflow so that it is only triggered after gate workflow (can still be triggered manually)
• Left security checks in CI just in case it gets run without the Gate trigger.
  (solution for Test failures send too much email #134 )

[gvanrossum]

In case you've been struggling with this, I just realized that the current workflow (at least on main) uses ci.yml from main. This follows from the pull_request_target semantics of starting with main.

[robgruen]

Actually it's more a function of the workflow_run trigger. By design it won't work unless the source of the target (in this case gate.yml) exists in the default branch. This is by design for security.

…

________________________________ From: Guido van Rossum ***@***.***> Sent: Wednesday, December 31, 2025 2:44 PM To: microsoft/typeagent-py ***@***.***> Cc: Robert Gruen ***@***.***>; Author ***@***.***> Subject: Re: [microsoft/typeagent-py] Added gate and workflow_run trigger for CI (PR #141) [https://avatars.githubusercontent.com/u/2894642?s=20&v=4]gvanrossum left a comment (microsoft/typeagent-py#141)<#141 (comment)> In case you've been struggling with this, I just realized that the current workflow (at least on main) uses ci.yml from main. This follows from the pull_request_target semantics of starting with main. — Reply to this email directly, view it on GitHub<#141 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGBS6WLKO33H6DU6THW7MBD4ERGT5AVCNFSM6AAAAACQNJ5QRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTOMBSHE4DQMRSG4>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[gvanrossum]

Make this a draft PR?

[robgruen]

Make this a draft PR?

I think it's ready for approval. I just merged main back in so I had to restart it but other than that it's ready to go.